InfoSec Handlers Diary Blog

An ISC reader wrote in alerting us to unconfirmed reports that organizations and some government agencies are received "unexpected" shipments of USB thumb drives. Don't know if it's true or not, but with the holidays upon us it bears reminding that USB devices received in suspicious ways often are loaded with hostile software. Sometimes, even commercial off-the-shelf USB devices like photo frames and the like can be infected (see: the Digital Hijackers ISC diary from last Christmas).

It remains a favorite trick of pentesters to throw USB keys infected with malware around for a low-tech vector of an attack in an organization. Trade shows and the like, even a better venue (and you can target by industry or organization). A colleague told me that his favorite trick was to mark a USB thumb drive as "Joe's Bachelor Party Pictures" for that extra "incentive" to get people to plug the device in.

If you're an organization and receive USB keys, even promotional swag, do a low-level format first. If you buy a USB storage device from the store, wipe it first (especially the annoying U3 devices). Sometimes vendors ship USB keys with firmware updates that can be infected (see this example involving HP firmware, there was also a report for Checkpoint Firewall firmware too). Those devices can't be low-level formatted, but a quick "media check" for hidden goodness may be warranted.

There's no such thing as a free lunch, but there is such a thing as free malware. Cavaet Emptor.

If you've had such shipments of unknown USB devices, let us know so we can coorelate data.